Hey all.

I've got a working Samba AD server with the DLZ backend. To avoid performance issues I'm using an external DNS which forwards queries for the AD zone to the Samba server, like this:

    zone "myadzone.int" {
        type forward;
        forwarders { 192.xx.x.xx; };
    };

192.xx.x.xx = my AD Samba.

This way it works alright, but on the external DNS I'm getting errors like:

    named[20356]: REFUSED unexpected RCODE resolving '_kerberos._udp.AD.INT/SRV/IN': 192.xx.x.xx#53
    named[20356]: REFUSED unexpected RCODE resolving '_kerberos._kkdcp.AD.INT/SRV/IN': 192.xx.x.xx#53
    named[20356]: REFUSED unexpected RCODE resolving '_kerberos._http.AD.INT/SRV/IN': 192.xx.x.xx#53

Which makes me wonder if there's something I'm missing. Can someone provide his working config?

Thanks
Z
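A small triage helper for the named log lines quoted above, added here as an example and not part of the original post or of Samba: it parses "unexpected RCODE resolving" events, checks whether each refused name falls inside a zone the external server forwards, and flags the case where the configured forwarder for that zone is the one refusing. The log lines and the forward-zone mapping (ad.int -> 192.0.2.10, RFC 5737 documentation addresses) are constructed for the example.

```python
import re
from collections import Counter

# Constructed named log lines modelled on those quoted in the post
# (the post wrapped '_kerberos._udp...' across two lines; joined here).
SAMPLE_LOG = """\
Jun 28 09:40:01 dns1 named[20356]: REFUSED unexpected RCODE resolving '_kerberos._udp.AD.INT/SRV/IN': 192.0.2.10#53
Jun 28 09:40:01 dns1 named[20356]: REFUSED unexpected RCODE resolving '_kerberos._kkdcp.AD.INT/SRV/IN': 192.0.2.10#53
Jun 28 09:40:02 dns1 named[20356]: REFUSED unexpected RCODE resolving '_kerberos._http.AD.INT/SRV/IN': 192.0.2.10#53
Jun 28 09:40:05 dns1 named[20356]: SERVFAIL unexpected RCODE resolving 'www.example.org/A/IN': 198.51.100.7#53
Jun 28 09:40:06 dns1 named[20356]: client 192.0.2.50#51234 (dc1.ad.int): query: dc1.ad.int IN A +
"""

# Assumed forward zones of the external server: zone -> forwarder address
# (the post's zone and address are placeholders; this mapping is constructed).
FORWARD_ZONES = {"ad.int": "192.0.2.10"}

LINE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>[A-Z0-9]+)/IN': (?P<server>[\d.]+)#(?P<port>\d+)"
)

def in_zone(qname, zone):
    """Case-insensitive check that qname is zone itself or a name below it."""
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    return q == z or q.endswith("." + z)

def triage(log_text, forward_zones):
    """Extract each 'unexpected RCODE' event and attach the forward zone it
    belongs to (None if outside every forwarded zone)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ordinary query logging, not an RCODE event
        qname = m["qname"]
        zone = next((z for z in forward_zones if in_zone(qname, z)), None)
        events.append({
            "rcode": m["rcode"], "qname": qname, "qtype": m["qtype"],
            "server": m["server"], "zone": zone,
            # The forwarder for a zone refusing a name inside that zone is
            # the case worth investigating on the forwarder side.
            "forwarder_refused_own_zone": (
                m["rcode"] == "REFUSED" and zone is not None
                and forward_zones[zone] == m["server"]),
        })
    return events

def summarize(events):
    """Count events by (rcode, answering server, matched forward zone)."""
    return Counter((e["rcode"], e["server"], e["zone"]) for e in events)
```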
On 28/06/2019 09:46, Zdravko Zdravkov via samba wrote:
> I've got working samba AD server with dlz backend. To avoid performance
> issues I'm using external DNS which forwards queries for the AD zone to the
> Samba server, like that:
> [...]
> Which makes me wonder if there's something I'm missing. Can someone provide
> his working config?

You should be doing it the other way around. Your AD clients should be using the AD DCs as their nameservers, and anything outside the AD DNS domain should be forwarded to an external DNS server.

Rowland
Greetings Rowland.

Are you able to provide a sample config for this? I'm not sure how exactly to resolve a single zone with BIND and forward everything else to the next DNS server.

Thank you for the help.

On Fri, Jun 28, 2019 at 11:55 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> You should be doing it the other way around. Your AD clients should be
> using the AD DC's as their nameservers and anything outside the AD dns
> domain should be forwarded to an external DNS server.
>
> Rowland
Hi Rowland,

On Fri, Jun 28, 2019, 04:55 Rowland penny via samba <samba at lists.samba.org> wrote:
> You should be doing it the other way around. Your AD clients should be
> using the AD DC's as their nameservers and anything outside the AD dns
> domain should be forwarded to an external DNS server.

On this wiki page [1] it says:

> For high traffic environments, it is not recommended to use BIND9_DLZ-backed samba as a primary DNS server. Instead, use an external server that only forwards queries to BIND9_DLZ-backed samba DNS installations when the query is addressed to a zone managed by that node.

...which seems to conflict.

We've been weighing the pros/cons of the various architectures and wondering about this as well.

Is it required that AD clients point directly at AD DCs? Are there certain DNS requests (e.g. updates) that won't be forwarded properly by an intermediary DNS server?

[1]: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Recommended_Architecture

Jonathon
Hai,

If the setup is done correctly this should work fine.

Set up a (caching) BIND9 DNS server and add a forward for every needed zone:

    zone "primary.dnsdomain.tld" {
        type forward;
        forwarders { 192.168.1.2; 192.168.1.1; };
    };

    zone "168.192.in-addr.arpa" {
        type forward;
        forwarders { 192.168.1.2; 192.168.1.1; };
    };

And you're done. I have been using this on my 3 split-networked servers for years now.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jonathon Reinhart via samba
> Sent: Friday, 28 June 2019 13:48
> To: Rowland Penny
> CC: samba
> Subject: Re: [Samba] AD DLZ backend - 'proper' way of doing it
>
> Is it required that AD clients point directly at AD DCs? Are
> there certain DNS requests (e.g. updates) that won't be forwarded
> properly by an intermediary DNS server?